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(54) AES Encryption circuit . 

(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) ttiat 
adds a round key value to input data; an intemiediate 
register/Shift Row transformation circuit (206) that ten>- 
porarlly stores the output of the first Round Key Addition 
circuit (204) and executes Shift Row transfomiatlon; a 
Byte Sub transf omatton circuit (207) into whfch th e val- 
ues of the Intermediate rBglsleryShlft Row transforma- 
tion circuit (20B) ane inputted and whfch executes Byte 
Sub transformation; a second Round Key Addition cir- 
cuit (208) Into which the values of the intennediate reg- 
ister/Shift Row transf omiation circuit (206) are Inputted 



and which adds round key values; a Mix Column trans- 
tonmatlon circuit (210) that executes Mbc Column trans- 
fonmatlon upon the outputs of the second Round Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition cb-cult (204) 
one of the outputs of a first selector (202), the interme- 
diate register/Shift Rowtransfonnation circuit (206), the 
Byte Sub transfomnatlon circuit (207), and the Mix Col- 
umn transformation circuit (21 0). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of high-speed processing In the Implementation of 
the AES block cipher. 
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Description 

BACKGROUND OF THE INVENTION 
s Technical Field 

[0001] The present Invention relates to an encryption drcult for implementing in hardware the Ffijndael algorithm, 
whbh is the next generation common key blocic encryption standard, (cnown as the AES (advanced encryption stand- 
ard), and will replace the current common.key block encryption standard In the US, called DES. 

to 

Description of Related Art 

[0002] A great variety of sen/ices are being considered that involve the Internet, Including electronic commerce and 

electronic money. These technoiofi^es are used not just In the daily fives of Individuate, but also in a wide range of 
IS fields, including transactions among corporations and Improving productivity. In particular, it is expected that encryption 

functions will be k>aded onto smart cards and nrobile handsets, for the purpose of verifying the identity of individuals, 

and that these technologies will i^e widely used for authentteation, digital signatures, and data encryption. 

[0003] Common key cryptography is used In these applications to prevent third parties from tapping on the Internet. 

The current standard adopted In the US for common key cryptography is DES; as its replacement, the AES (advanced 
^ encryption standard), known as the Rljndael algorithm, has been selected to be next generation common key block 

cryptography standard, and this algortthm is becoming the new standard. fThe AES draft is avalta|)le at httpy/csic.nist. 

gov/pubttcatlons/drafts/dfips-AES.pdf) - 

[0004] AES is a block cipher lor processing In block lengths of 128 bits, and the encryption algorithm, as shown In 
FIG. 1, is thought to be executable by an encryption circuit comprising a round function unit 20 and a key schedule 
5S unit 10. The roundfunctlon unit 20 comprises an input reglster21 that temporarily stores input data, an XOF^ processing 
. unit 22 that XORs the Input data and expanded key segment, a round processing unit .23, a final round processing unit 
24 and an output register 25 that temporarily stores output data. 

[0005] The round processing unit 23 comprises a Byte Sub transfonnation unit 31 . a Shift Row transforimatlon unit 
32. a M\x Column transformation unit 33 and a Round Kay Addition unit 34; the final round processing unit 24.perf bnms 
30 the processing of the round processing unit 23 except for the Mix Column transfonnation 33; it comprises a Byte Sub 
transfonnation unit 35, a Shift l^w transfonmation unit 36 and a Round Key Addition unit 37. 
[0006] Round processing Iterated; the number of rounds Nr Including the final round depends on the key length 
inputted Into the key schedule unjt 1 0, and is defined as shown in fable 1 . 

35 " ' • ■ [Table 1] . . 



Key Length and Number of Rpuncfe 


Key l_ength 


Nr 


128bit 


. 10 • 


192brt 


12 


256bft 


14 



[0007] Thus for each key length round processing is executed Nr-1 timeis, and at the end ttie final round processing 
is executed. When the key length Is 128 bits, round processing is executed 9 times; when 192 bits, 11 times; and when 
256 bits, 13 times; and then in each case the final round processing Is executed. Round keys generated at the key 
schedule unit 10 are inputted into the XOR processing unit 22, round processing unit 23 and final round processing 
unit 24. 

[OOOq The key schedule unit 10 generates round keys.based on the key generatton schedule specffled In the AES 
draft; that algorithm Is shown In FIG. 2. 

[0009] The AES Proposal specification (AES Proposal: Rijndaei, ^at httpy/csrc.nist.gov/encryption/aes/rijndael/Rljn- 
dael.pdf) introduces 2 hardware implementations ifor AES block cipher cincuits. 

[001 0] One of these Is a m^hod for hardware Implementation, In 1 2B bit units, of all the functions shown In RQ. 1 
as they are (hetBinafter, "conventional example 1 in this case, for encryption and dectyption, the order of processing 
of the functions Is reversed, and thus It is necessary to prepare separate processing circuits for encryption and de- 
cryption. 

[0011] Also, because, as shown in Table 1 , it Is necessary to change the number of times round processing Is exe- 
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cuted depending upon the key length, It is necessary to create circuits for each key length. 

[0012] Furthennore» because of the reversal of order between encryption and decryption, the order of key generation 
in the key schedule unit 1 0 forthe round keys used in the round function unit 20 has to be reversed between encryption 
and decryption. Therefore, either there has to be 2 separate key schedule units, for encryption and for decryption, or 

5 a method has to be devised for using the key schedule unit 10 tor both enciyptlon and decryption. 

[001 3] The second method, as shown In FIG. 3, Involves creating a coprocessor 50 that has a Byte Sub transformation 
unit 51 and a Mix Column transfonnatlon unit 52. and Implementing in hardware only the Byte Sub transformation and 
the Mix Columri transformation functions, and having all other functions incorporated as software into a program 41 , 
and then processing with a CPU 40 (hereinafter, "conventional example 2"). 

10 [0014] In this case, Byte Sub transformation and Mix Column transformation, which are unsulted for processing by 
the CPU 40 for reasons of processing time, are Implemented in hardware as Che coprocessorSO, and the other process- 
ing is processed by the program 41 stored in the CPU, thus allowing the circuit scale to be reduced. 
[0015] If we suppose that the AES block cipher Is to be incorponated Into a smart carti or the like, the functions 
required of an encryption circuit would be to maintain a certain level of processing speed, white keeping the scale of 

1^ the circuit small. Wfth these requirements, the conventionally proposed method of Implementing all the functions In 
12B-bit units results In the scale of drcuit being too large, making the loading Thereof onto a smart card difficult. With 
the method of Implementing in hardware only the Byte Sub transfomiatlon and the Mix Column transformation, and 
processing the other functions with software, there Is the problem of the processing speed requirements not being 
fulfilled. 

[001.6] Moreover, with the key schedule unit 10 that generates the round, keys, If all the round keys are stored in 
memory, a large-capacity memory is needed, and this would make the scale of circuit large. Therefore, In order to 
reduce the scale of circuit without reducing processing speed, It is desirable to generate round keys with a circuit 
constitution that does not require storing the entire expanded key in memory. 

SUMMARY OF THE INVENTION 

[001 7] It is an object of the present invention to present an encryption drcuit that js small in scale and that can achieve 
a certain level of processing speed when Implementing the AES block dpher. 

(001 8] The present Invention provides an encryption drcuit tfial generates from a dpher key a plurality of round keys 
so having a number of bits conesponding to a predetenmlned processing block length and executing, for each processing 
block length, Input data and round key encryption/decryption processing, by means of a n>und function unit comprising 
an XOR operation unit that XORs the input data and one of the round keys and a round processing unit that iterates 
round- processing that includes Byte Sub transfomnation, Shift Row transformation. Mix Column transfomriation and 
Round Key Additwn. wherein: 

35 the round processing unit comprises: a first selector tTjat segments input data into execution block lengths smaller than 
the processing block length; a first Round Key Addition drcuit that adds the round key value to input data for each the 
execution block length; an intemiedlale register/Shift Row transfonnallon circuit that temporarily stores the output of 
the first Round Key Addition circuit and executes Shift Row transfomiatlon using the processing btock length; a Byte 
; Sub transfomiBtion circuit wherein the intermediate register/Shift Row transformation circuit value Is inputted for each 

40 the execution bfock length and Byte Sub transfonnation is executed; a second Round Key Addition circuit wherein the 
intermediate register/Shift Row transfomriation drcuit value Is Inputted for each the execution block length and the 
round key value Is added for each the execution block length; a Mix Column transfomiation circuit executing Mix Column 
transformation on the output of the second Round Key Addition circuit; and a second selector that outputs to the first 
Round Key Addition circuit one output from among the outputs of the first selector. Intermediate reglstei/Shlft Row 

49 . transformation drcuit, Byte Sub transformation circuit, or Mix Column transfonmation circuit. 

[0019] Here, the execution block length can be.a multiple of 8 bits, the processing block length can be 128 bits and 
the execution block ten^h can be 32 bits. 

[0020] Further, the key length of the dpher key can be any of 128 bits, 1 92 bits or 256 bits. 

[0021] Also, the Byte Sub transformation drcuit can comprise a matrix operation unit for decryption that executes a 
so matrix operation on input data; a third selector that outputs either the Input data or the output of the matrix operation 
unit for decryption; an Inverse operation unit for executing an inverse operation on the data outputted from the third 
selector, a matrix operation unit for encryption that executes a msitrlx operation on the data outputted from the Inverse 
operation unit; and a fourth selector that outputs either the output of the inverse operation unit or the output of the 
matrix operation unit for encryption . 
95 [0022] Further, the ma^ operation unit for decryption and the matrix operation unit for encryption comprises an 
XOR drcuit so as to perform 8-bIt operations at one dock cycle and the matrix operation unit for decryption and the 
matrix operation unit for encryption comprises an XOR circuit so as to perfomi 1-bit operations at one clock cycle. 
[0023] Also.thelntermediate register/Shift Row transformation drcuit can be usedforboth encryption and decryption 
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through the reversal of order of input of shift data relating to amount of shift for data to be inputted into the intermediate 
register/Shift Row transfomiatlon circuit, the input order for decryption being the reverse of the order for encryption. 
[0024] Further, the Mix Column transformation circuit can comprise a plurality of multiplication units with unique 
muJtlpliei^ and an XOR circuit that perfonns XOR operations for the plurality of multiplication units, the Mix Column 

s transformation circuit executing a matrix operation between data inputted Into each multiplication unit and the multiplier 
established for each multiplication unrt. In this case, the Mix Column transfonnation circuit connprlses 4 operation units 
having 4 multiplication units capable of 8-btt unit operations and XOR circuits that execute XOR operations based on 
theoutputsof the4mu1tiplicatbn units. This multiplication units can control2 multipliers and are used for both encryption 
anql decryption and the multiplication units can be constituted to control addition values from high-order bits, 

10 [0025] Also, an encryption circuit can be constituted so as to have a key expansion schedule circuit that generates 
from the cipher key, as an expanded key segmented into bit numbers corresponding to the execution block length, a 
plurality of round keys wth bit numbers con^sponding to a predetemnlned pmcessing block length. The key expansion 
schedule circuit comprises: 

IS a fifth selector that segments a cipher key Into the number of bits conresponding to the execution btock length and 

outputs the same; 

a shift register to which flip-flop circuits are connected at a plurality of stages, the flip-flop circuits latching data \n 
units of the execution block length; 

a first XOR circuit that XORs the output of the final stage flip-flop circuit of the shift register with one constant 
^ selected from among a group of constants; 

a sixth selector Into whrch are inputted the outputs of those flip-flops of the shift register that are involved in oper- 
ations for encryption and the outputs of those flip-flops involved In operations for decryption, and which selectively 
outputs one of these; 

a Rot Byte processing circuit that rotates the output of the sixth selector; 
ss a seventh selector into which the output of the sixth selector and the output of the Rot Byte circuit Is Inputted and 

which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation oh the output of tha seventh selectorfor each 
the execution block length; 

an eighth selector Into which the output of the sixth selector and the output of the Sub Byte processfng circuit are 
50 Inputted, and which selectively outputs one of these; : 

a second XOR circuit that executes an XOR operation based on the output of the first XOR dnnJlt and the output 
.of the eighth selector; and 

a shift register unit setector'that selecth^ely outputs, to those flip-flops of the shift register the outputs of which are 
subject to operations for encryption, eitherthe output of the second XOR circuit or the output of the adjacerit stage 

35 flip-flop. 

[0026] Here, the shift register comprises 6 flip-flops executing data processing in 32-bit units, and the sixth selector 
is constituted so that the outputs of the second, fourth, sixth and eighth flip-flops from the bottom from among the flip- 
flops are inputted therein, and that it outputs one of these. 

^0 [0027] Also, through the input into the seventh selector of the output of the intermediate reglster/Shrft Row transfor- 
mation circuit and the Input into the second selector of the output of the' Sub Byte processing circuit, a single circuit 
cari be used for the Sub Byte processing circuit and the Byte Sub transfonnation circuit of the round processing unit. 
[0028] From the following detailed description in conjunction with the accompanying drawings, the foregoing and 
other objects, features, aspects and advantages of the present Invention will become nsadlfy apparent to those skilled 

^ In the art 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0029] 

SO ' , 

• FIG. 1 Is a block diagram of AES processing using the Rijndael algorithm; 
FIG. 2 is a key schedule program fet; 

FIG. 3 Is a block diagram showing.ona envlstohed circuit implementatton; 

FIG. 4 is a block diagram of a round function unit adopted in a first embodiment of the present inyention; 
S5 FIG. 5 is a block diagram showing an Intermediate registeiyShift Row transformation circuit; 

FIG. 6 is a block diagram showing a Mbc Column transfonmatfon circuit; 
FIG. 7 Is a block diagram showing the constitution of a multiplication unit; 
' FIG. 8 is a block diagram. showing another constitution of a multiplication unit; 
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FIG. 9 is a block diagram showing a key schedule unit; 
FIG. 10 is a block diagram showing a Byte Sub transformation circuit; 
RG. 11 is a block diagram showing a matrix operation circuit for encryption; 
FIG. 12 Is a block diagram showing a matrix operation circuit for decryption; 
5 FIG. 1 3 is a block diagram showing another example of a matrix operation circuit for encryption; and 

FIG. 1 4 Is a block diagram showing another exannple of a matrix operation circuit for decryption. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 

10 Round Function Unit 

[0030] The AES block cipher is an algorithm that encrypts/decrypts the 128 bit data with the 128 bit, 1 92 bit or 256 
bit key. As shown In FIG. 1 , it comprises a key schedule unit 1 0 that generates a plurality of round keys from the cipher 
key, and a round function unit 20 that uses the round keys Inputted from the key schedule unit 1 0 to encrypt and decrypt. 

IS The pund function unit 20 performs such processing as XOR operations, Byte Sub transforrtiatlon processing, Shift 
Row transformation processing. Mix Column transfonmation processing, Round Key Addition processing. . 
[0031] The first embodiment of the present Invention is a circuit for implementation ot this round function unit 20, 
and the constitution of this circuit is shown in FIG. 4, Each circuit block executes 32-b It processing with the exception 
of Shift Row transf onnation processing, whbh is 1 2B-blt processing; transfer of data between circuit blocks is executed 

50 In 32-bft units. 

[0032] This round function unit contains: an input register 201 that temporarily stores input data; a first selector 202 
that selects 32-blt data from the 128-blt Input data; a second selector 203 Into one input terminal of which the output 
of the first selector 202 is inputted; a first Round Key Addition circuit 204 into which the output of the second selector 
203 ts Inputted; an add data selector 205 that inputs Into the first Round Key Addition circuit 204 an expanded key 

25 segment or "0*; an intermediate regfster/Shift Row transformation circuit 206 that stores the output value of the first 
Round Key Addition circuit 204 and executes Shift Row transformation in 128-bit units; a Byte Sub transformation 
c!rpult207 Into which intennediate register/Shift Row transformation circuit 206 values are inputted and which executes 
Byte Sub transfomnation; a second Round Key Addition circuit 208 into which Intermediate register/Shift Row transfor- 
mation circuit 206 values are inputted for each 32 bits; an add data selector 209 which inputs Into th^ second Round 

so Key Addition circuit 208 an expanded key segment or "0"; and a Mix Column transformation clrcult21 0 which executes 
Mix Column transf onnation on the output of the second Round Key Addition circuit 208. The outputs of the first selector 
202, Byte Subtransfomiation circuit 207, Mix Column transfomiatlon clrcuit210, and intermediate register/Shift Row 
transformation drcuit 206 are Inputted into the second selector 203, and one of these outputs is outputted to the first 
Round Key Addltton circuit 204. 

35 • . ■ • 

Operation Schedule during Encryptnn 

[0033] The operatton schedule during encryption in the round function unit is shown in TSble 2. 

40 



. 45 



so 



55 
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Round Function Operation Schedufe 
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Round 


Cyclo 


Procsssing 


SEUB 




0 


000-003 


Round Key Addition 


a 






004-007 


Byte Sub Transformation 


b 


10 


t 


OOd 


Shift Row Transformation 


c 


15 




009-012 


Mix Column Tran^sformation 
Round Key Addition 


c 




013-016 


Byte Sub Transformation 


b- 




2 


017 


SWft Row transfprmatton 


c 


20 




01&-W1 


Mix Column Transformation 
Round Key Addition 


c 






- 

Omittad 


■ 


1 

1 


25 








j 








Byte Sub TrQnsrformation 


b 




Nr-1 


(NM)*9-1 


Shift Row Transformation 


c 


30 




{Nr-1)*9 - 
(Nr-1>*9+3 


Mix Column Transformation 
Round Key Addition 


c 






#2 


Byte Sub Transformation 


b 


35 


. Nr 




Shift Row Transformation 


d 






Nr*9'- 
Nt*9+3 


Round Key Addition 


d 



#1 :(Nr-1)*9'5 - (l^1>9-2 • 
#2:Nr*9-5-Nrt^2 



Note: Tile table shows operations durtne encryptioa 
45 In fiecryptiorK the order of round key and Mix 

CofiOTin prooessfngs is svntched. 

[0034] Here. In round 0, adcfltlon of an expanded key seg^nent is executed by the first Round Key Addition drcult 
204 with a selector position of "a" for the second selector 203. Input data In the Input register 201 is selected \r\ 32 bit 

so units by the first selector 202 and Inputted Into the first Round Key Addition circuit 204, and to Ihls is added a portion 
of a round key, inputted from the key schedule unit, this portion being a 32-bit segment of the expanded l<ey. While the 
input data and the expanded key are being changed into units, the first Round Key Addltmn circuit 204 executes 
addition processing, and the XOR procoGsIng of the XOH unit 22 in RG, 1 Is thereby executed on 1 2B-bit processing 
blocks In the 4 cycles of cycles 000 through 003. The result of the operation by the first Round Key Addition circuft 204 

S5 is stored in order in 32-bit units in the intemnediate register/Shift Row tranaformatton circuit 206. 

[0035] In round 1 . the round processing 23 in FIG. 1 Is executed, and Byte Sub transformation processing 31 . Shift 
Row transfonmatlon processing 32, Mix Column transfomnation processing 33. and Round Key Addition processing 34 
are ^ecuted. Thus, first of all, m cycles 004 through 007. with a selector position of "b" for the second selector 203» 
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1 the data stored In the intermediate register/Shift Row transformation circuit 206, white being shifted in 32-blt units, is 

i read out and Inputted into the Byte Sub transfomiation clrcuft 207. At this time, by making the data to be selected by 

j the add data selector 205 "G", the first Round Key Addition circuit 204 is put Into a masked state. The result of the 

I operations of Byte Sub transformation circuit 207 is stored In order in 32-bit units In the Intermediate register/Shift Row 

• 5 transfomiatlon circuit 206. Thus Byte Sub transfonmation processing performs on 12B bits, and the result is stored in 

the Intermediate register/Shift Row transformation circuit 206.' 

[0036] Next, in cycle 008, Shift Row transformation processing Is executed. The intermediate register/Shift Row 
transfomiatlon circuit 206 is capable of executing Shift Row transformation processing In 128-bit units, and in this cycle 
008, 128-brt Shift Row transformation processing is executed. At this time, the selector position of the second selector 
10 203 may be any position, but in consideration of the processing in the next cycle, a position of "c" is preferable. 

[0037] In cycles 009 through 0012, Mix Column transformation processing and Round Key Addition processing are 
executed. Herein, the data stored In the intermediate register/Shift Row transfonmation circuit 206, while being shifted 
In 32-blt units, is read out and inputted Into the second Round Key Addition circuit 208. At this time, by making the data 
to be selected by the add data selector 209 "O-, the second Round Key Addition circuit 208 is put Into a masked state. 
IS By setting the selector position of the second selector 203 at "c-, the data upon which Mix Column transformation 
processing has ^een executed at the Mix Column transf omiation circuit 21 0 is Inputted into the first Round Key Addition 
circuit 204 via the second selector 203. An expanded key segment to be Inputted from the key schedule unit is selected 
for cfota to be selected by the add data selector 205, and this data undergoes Round Key Addition processing at the 
firat Round Key Addition circuit 204. The result of the Mix Column transfonnation processing at the Mix Column trans- 
£0 formation circuit 210 and the Round Key Addition processing at the first Round Key Addition circuit 204 are, while 
being each shifted in 32-bjt units, stored in the Intermediate nagister/Shift Row transfomtatlon circuit 206. Thus, the 
result of the 1 20 bits upon which Mix Column transformation processing and the Round Key Addition processing were 
executed in cycles 009 through 01 2 are stored in the Interniedlate register/Shift Row transformation circuit 206. in this 
i manner, one round of processing is executed In the 9 cycles of cycles 004 through 01 2. 

? -?5 [0038] Next, in rounds 2 through p^Jr-l), the same processing as In round 1 is executed (however, Nr is the number 

I of processing rounds Including the final round, and as shown in Table 1 , the number of rounds will differ according to 

i key length). 

[0039] In round Nr (the final round), the final round processing 24 of FIG. 1 is executed; this comprises Byte Sub 
transformation processing 35, Shift Row transformation processing 36 and Round Key Addition processing 37. 
30 [0040] Thus in cycles (Nr*9-5) through (Nr*9-2). with the selector position of the second selector 203 at "b", data 
stored In the intermediate reglsler/ShfPt Row transformation circuit 206. whHe being shifted In 32-bit units, is read out 
and inputted into the Byte Sub transfonnation circuit 207. At this time, by making the data to be selected by the add 
data selector 205 "0", the first Round Key Addition circuit 204 is put into a masked state: The result of the operation 
of the Byte Sub transfomiatlon circuit 207 is stored In onier in 32-blt units in the intennediate register/Shift Row trans- 
35 f omnatlon drcuit 206. Thus Byte Sub transfonnation processing of 1 28 bits Is perfomied, and the result is stored In the 
• intenriediate register/Shift Row transformation cini^it 206. 
[0041] Next, in the {lsir*9-1) cycle, 128-bit Shift Row processing is executed At. this time, the selectwn position of 
the second selector 203 may be any position, but In conslderatlori of thei processing of the next cycle, a position of "d" 
is preferable; 

[0042] in the {Nr*B) through (Nr*9-»^3) cycles. Round Key Addition processing is executed. Speciflcany, by making 
theselectorposition of the second 8elector203 "d", the data stored In the intermediate reg[ister/Shift Row transfonnation 
circuit 206, while being shifted in 32-bft units, is read out and inputted Into the first Round Key Addition circuit 204 via 
the second selector 203. At this tffne. by making data to be selected by the add data selector 205 ah expanded key 
segment to be inputted from the key schedule unit, the first Round Key Addition circuit 204 adds 32-bit round keys. 
The result of ttie Round Key Addition processing by the first Round Key Addition circuit 204 is stored in the intermediate 
register/Shift Row transformation circuit 206 while being shifted en 32-blt units. Thus In the (Nr^) through (Nr*9+3) 
cycira. the result of the Round Key Addition processing on the 128 biU Is stored In the Intermediate reglsten^hlft Row 
transformation circuit 206. In this manner, in the 9 cydes from (Nr^-6) through (NfS+S), final round probessing Is 
executed. 



40 



43 



SO 



SB 



Operation Schedule during Decryption 

[0043] Operations during decryption in this round function unit are performed In the reverse ortterto operations during 
encryption. This operation schedule is shown In T&ble 3. 
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\ (Table 3] 

1 Round Function Operation Schedule 



Round 


Cycle 


ProcessiRs 


5EUB 


0 


000-003 


Round Key Addition 


a 




004 


Shift Row Transfnrmfl+i nn 


b 




005-008 


Byte Sub Transformation 


b 


-f 
1 


009'O12 


■ "•MUM r%^y r\vmuan 

R^iv ■lAlt IVMM 1 Lf a 1 L - r \t 






013 


Snift Row I ran*ifrkmwtifiri 

^'■••^^ 1 i i W 1^1 1 1 lAUwf 1 


b 




014-017 


_Byte Sub Transformation 


b 


2 


018-021 


Round Key Addition 

Mw CoHimn Transformation 


c 




Omitted 










Shift Row Transformation 


b 




#1 


Byte Sl6 Transformation 


b 




{Nr-1)*9 - 


Round Key Addition ' 
_Mix Column Transformation 


c 




Nr*9-5 


Shift Row Trajnsfommtion 


b 




. #2 


Byte Sub Transformation 


b 


Nr 


Nr*9- 
Nr*fl+3 


Round Key. Add-on 


d 



#1 :(Nr"1)*»-4 - (Nr-1)*9-f 
#2:Nr*9^-NP>9-1 



[0044] In round 0. with the selector posWon of the second selector 203 at "a", the first Round Key Addition circuit 

204 adds expanded key segments. Input data in the input register 201 is selected in 32-bit units by the first selector 
202 and inputted into the fir^ Round Key Addition circuit 204, and from the round Icey to be inputted from the Icey 
schedule unit, a 32-bft expanded key segment Is added. At this time, data to be inputted via the first selector 202 Is 
inputted In an order that is the reverse of the input order for encryption, and the input order of the exjsanded key 
segments to be inputted from the key schedule input is also the reverse of the input order for encryption. In thiis manner, 
as the input data and expanded key are changed every 32 bits, the first Round Key Addition circuit 204 executes add 
processing, thereby allowing execution of Round Key Addition processing on a 128-bIt processing block in cycles 000 
through 003. The result of the operations of the first Round Key Additlori circuit 204 Is stored In 32-bit units In the 
intennediate register/Shift Row transfonnatlon dncuit 206. . 

[0045] In round t, processing is perfomried in the orcier of Shift Rowtransfonriatlon, Byte Sub transformation. Round 
Key Addition, and Mix Column transformalion. For this reason, first, In cycle 004, Iri the intemiediate register/Shift Row 
transformation circuit 20B, Shfft Row transformation processing is executed In 1 28-t)it units. In this case the processing 
Is the same as the Shift Row transformation processing during encryption. Also, the selector position of the second 
selector203 may be any position, but in consldenailon of the processing in the next cyde, a position of "b" is preferable. 
[0046] Next, in c^es 005 through 008, with a selector position of "b" for the second sielector 203, data stored In the 
Intennedlate register/Shift Row transfonnatlon circuit 206, while being shifted in 32-bit units, Is read out and Inputted 
into the Byte Sub transformation circuit 207. At this time, by making the data to be selected by the add data selector 

205 the first Round Key Addition drcult204 is put Into a ihasked state. The result of the operation by the Byte Sub 
transfonnatlon circuit 207 is stored In order in the inteimecSate register/Shift Row transformation ctrcuft 206 In a2-bft 
units. In this case, the Byte Sub transformation processing Is executed so as to be the Inverse of the transformation 
processing during encryption; this will be discussed below. In this manner, Byte Sub transfomiation prr>c6sslng is 
perfomied on 128 bits, and the result is stored in the Intennediate register/Shift Rowtransfonnatlon clnc^H 208. 
[0047] In cycles 009 through 01 2, Round Key Addition procossing and Mix Column transfomriatlon processing are 
executed. Here, data stored jn tfie Intenmedlate register/Shift Row transfomiation circuit 208, while being shifted In 
32-bit units, is read out and inputted Into the second Round Key Addition circuit 208. At this time, data selected by the 
add data selector 209 is made the expanded key segment Inputted from the key schedule unit. Also, with the selector 
position of the second selector 203 at '*c'. the output of the Mix Column transformation drcuit 210 is inputted into the 
first Round Key Addition circuit 204 via the second selector 203. At this time, by making the data to be selected by the 
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add data selector205 "0", the first Round Key Addttlon circuit 204 Is put into a masked state. In this case, Mix Column 
transfomnatlon processing Is executed In such a manner as to be tnanstoimation processing that is the inverse of the 
transfonnation processing during encryption; this will be explained in detail below. Thus the 128-bit resultant of the * 
Round Key Addition processing by the second Round Key Addition circuit 208 and of the Mix Column transformation 
5 processing by the Mix Column transformation circuit 21 0 is stored in the intemiedlate register/Shift Row transformation 
circuit 206. In this manner, on© round of processing is executed In the 9 cycles of cycle 004 through 012. 
[0048] Next, in rounds 2 through (Nlr-I ). the same processing as in round 1 is executed (however. Nr is the number 
of rounds including the final round, and as shown in Table 1 , different numbers of rounds are stipulated depending on 
key length). 

10 [0049] In round Nr (the final found), Shift Row transfonnalion processing, Byte Sub transfonriatlon processing and 
Round Key Addition processing are executed. 

[0050] For this reason in cycle (Nr*9-5), 128-blt Shift Row transformation processing is executed. At this time, the 
seiector position of the second selector 203 may be any position, but In consideration of the processing of the next 
cycie, a position of "b'* is preferable. 

<5 [0051] Next. In cycles (Nr9-4) through (Nr9-1), with the selector position of the second selector 203 at "b", data 
stored in the Intermediate register/Shift Row transfomnatlon circuit 206, while being shifted in 32-blt units, is read out 
and Inputted Into the Byte Sub transfomnatlon circuit 207. At this time, by making the data to be selected by the 205 
"0", tlie first Round Key Addition circuit 204 lis put into a masked state. Result of the operation by the Byte Sub trans- 
formation circuit 207.is stored In order In the intermediate register/Shift Row transformation circuit 206 in 32-bit units. 

so Thus Byte Sub transformation processing is conducted on 12B bits, and the result is stored In.the Intenrnedlate register/ 
Shift Row transfonnation circuit 206, 

[0052] In cydes (Nr*9) through (rMr*9+3), Round Key Addition processing is executed. Here, by making the selector 
position of the second selector 203 "d", data stored in the Intermediate register/Shift Row transformation circuit 206, 
while being shifted In 32-bit units, Is read out and inputted Into the first Round Key Addition cinsull 204 via the second 

55 selector 203. At this tin^, by making the data to be selected by tho add data selector 205 an expanded key segment 
Inputted from the key schedule unit, 32-bit Round Key Addition processing by the first Round Key Addition circuit 204 
can be executed. The result of the Round Key Addition processing in the first Round Key Addition circuit 204 is, While 
being shifted in 32-blt units, stored in the intennediato register/Shift Row transformation circuit 206. Thus in cycles 
(Nr*9) through (Nr*943), the 1 28-bit result of Round Key Addition processing is stored in the intermediate reglster^Shift 

BO Row transformation circuit 206. In this manner, the final round processing, is executed in the 9 cycles from cycles 
(Nr*9-6) through (Nr9+3). Intermediate Value Register/Shift Row Transformation Circuit 
[0053] FIG. 5 shows one emt>odiment of the Intermediate value register/Shift Row transfonnation circuit 
[0054] In this constitution, 4 shift registers that process in 8-bit units are provided. The first shift register has 4 flip- 
flops, flip-flops 302, 304, 306 and 308, connected In series, and to each of the flip-flops 302, 304, 306, and 308 selectors 

35 301 . 303. 305, and 307, which select Inputs, are respectively connected. Input data INO and the output of theflip-ftop 
• 302 are Inputted into the first selector 301 . and either one of these is inputted into the fllp-ftop 302. Similarly, Into the 
second through fourth selectors 303, 305 and 307, the outputs of the previous-stage flip-flops 302, 304, and 308. as 
wen as the outputs of the flip-flops 304, 306. and 308 are inputted, and one of these is inputted into the flip-flops 304, 
306 and 308, respectively. 

40 [0055] The second shift register has 4 flip-flops, flip-flops 312. 314, 316 and 318 connected In series; and to each 
of the fBp-flops 31 2. 31 4, 31 6 and 31 8 , selectors 3 1 1 , 3 1 3 , 31 5, and 31 7, which se lect Input, are respectively o^^ 
input data INI and the outputs of the flip-flop 312 and the f Bp-flop 318 are inputted into the first selector 311 , and one 
of these Is Inputted Into the flip-flop 312. Similarly, into the second through fourth selectors 313, 315 and 317, the 
outputs of the previous-stage flip-flops 312. 314, and 316, as well as the ou^uts of the flip-ftops 314, 316. and 318 

45 are inputted, and one of these Is Inpuned into the flip-flops 31 4, 316 and 318, respectively^ 

[O056] The third shift register has 4 flip-flops, flip-flops 322, 324. 326 and 328 connected in series; and to each of 
the flqa-flops 322, 324, 326 and 328, selectorB 321 , 323, 325, and 327, which select Input, are respectively connected. 
Input data IN2 and the outputs of the tilp-fiop 322 and the flip-flop 326 are Inputted into the flret selector 321 , and one 
of these Is inputted into the flip-flop 322. Similarly, into the second selector 323, the output of the respective previous- 

so stage fllp^lop 322, the output of the flip-flop 324, and the output of the flip-fiop 328 are Inputted, and one of theee is 
Inputted Into the fH3-flop324. Into the third selector 325, the output of the previous stage flip-flop 324, the output of the 
flip-flop 326, and the output of the flip-flop 322 are inputted, and one of these is inputted into the flip-flop 326. Into tho 
fourth 8ele<^or 327, the output of the previous stage flip-flop 326. the output of the flip-flop 328 and the output of the 
flip-flop 324 are inputted, and one of these is ir^mted into the flip-flop 328. 

ss [0057] The fourth shift register has 4 flip-flops. fUp-flops 332. 334, 336 and 338 connected in series; and to each of 
the flip-flops 332, 334. 336 and 338. selectors 331 , 333. 335, and 337. which select Input, are respectively connected. 
Input data IN3 and the outputs of the flip-flop 332 and the flip-flop 334 are Inputted into the flrst selector 331 , and one 
of these is inputted Into the flip-flop 332. Simiiarty. into the second selector 333, the output of the previous-stage flip- 
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10 



15 



flop 332, the output of the flip-flop 334, and the output of the flip-flop 336 am inputted, and one of these is inputted into 
theflip-ftop334. Into the third selector 335. the ouiput of the previous stage flip-flop 334, the output of the flip-flop 336, 
and the output of the flip-flop 338 are inputted, and one of these is inputted into the flip-flop 336, into the fourth selector 
337, the output of the previous stage flip-flop 336. the output of the flip-flop 338. and the output of the flip-flop 332 are 
inputted, and one of these is inputted into the fllp-flop 338. 

10058] When an intermediaie value register/Shift Row transfomiatlon circuit thus constituted Is operated as an In- 
tennedlate value register for the various processing stages, by inputting data Into Input data INO through IN3 in 8-blt 
units, data processed in each cycle in 32-bit units can be stored. Furthermore, by making the selector positions of the 
selectors 301 through 337 "b", and, v;hlle shifting the data in flip-flops to the next stage, inputting data In 8-bit units 
into input data \N0 through 1N3 respectively, 128 bits of data can be inputted in 4 cycles. When the Input of 1 28 bits of 
data has been completed, the 4 8-blt data inputted in the first cycle are latched in the flip-flops 308, 318, 328, and 338, 
respectively. 

[0059] An explanation will now be given of the operations of the Shift Row transfonnation. 

[0060] In the Rijndael algorithm, input data is segmented into 8-bit data segments aOO through a33 and these are 
processed as a matrix; the direction of the shiftf or decryption is the reverse of the direction for encryption. In the present 
invention, the order In which data Is processed is the order of the column anray; by processing in reverse order for 
encryption and for decryption, Shift Row ti'ansfomiailon can be achieved using the same processing. 



[Table 4] 



Data Amiy and Prooessing Order 



S5 



30 



Row 



f 

Column 



Row 





b01 


a02 


a03 




aOO 


aOI 


a02 






a11 


al2 


a13 


Column^ 




all 


a12 






a21 


a22 




aZO 


a21 


a22 






a31 


a32 


a33 




a30 


a31 


a32 





Encryption 



Decryption 



33 



40 



[0061] As shown oh Table 4 left, when.the detain rows Is arranged In order starting from the column to the far left, 
for encryption, processing is executed starting from the column to the far left. For decryption, as seen In Table 4 light, 
processing is executed starting frorn the column to the fiar right 

[0062] In Shift Row transformation processing for encryption, the rows of a data array arranged as oh Table 4 left 
are cyclically shifted different byte-lengths. Specifically, as shown in Table 5. the first row is not shifted, row2 is cyclically 
shifted one byte to the left, row 3 Is cyclically shifted 2 bytes to the left, and row 4 fe.cycOcally shifted 3 bytes to the . 
left. This.causes the pre-processing state, shown in Table 5 left, to become the post-processing state shown In Table 
5 right. 



43 



50 



55 



[Table 5] 
[ Ehciyption ] 

Pre-processing 



Post-processing 



aOO 


aO] 


a02 


a03 




aOO. 


aOI 


302 


a03 


alO 


air 


a12 


a13 


Cycfie Shift 1 Byte Left 


all 


a12 


a13 


alO 


a20 


a21 


a22 


a23 


Cyclic Shift 2 Bytes Left 


a22 


a23 


a20 


a21 


a30 


a31 


a32 


a33 


Cyclic Shift 3 Bytes Left 


a33 


a30 


a31 


a32 
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[0063] For decryption, so as to achieve the inverse of the processing during encryption, the rows of a data array 
arranged as on Table 4. left are cyclically shifted different byte-lengths. Specifically, as shown in Table 5, the first row 
is not shifted, row 2 is cyclically shifted 3 bytes to the left, row 3 is cyclically shifted 2 bytes to the left, and row 4 is 
cyclically shifted 1 byte to th© left. This causes the pre-processing state, shown In Table 6 left, to become the post- 
processing state shown in Table 6 right. 



10 



15 



20 



[Table 6} 

[ Decryption ] 

Pre-processing 



Post^p recessing 



aCK) 


a01 


a02 


a03 




aOO 


aOI 


a02 


a03 


alO 


all 


a12 


a13 


Cyclic Shift 3 Bytes Left 


a13 


a10 


afl 


al2 


a20 


a21 


a22 


a23 


Cyclic Shift 2 Bytes Left 


a22 


a23 


a20 


a21 


a30 


a31 


a32 


a33 


Cyclic Shift 1 Byte Left 


a31 


a32 


a33 


a30. 



25 



[0064] In the present ennbodiment, the Intemnediate value register/Shift Row transformation ctrcult shown In FIG. 5 
la used. Thus, at the stage when the Input of 128 bits of data has been completed, the data that was Inputted in the 
initial cycle is latched In the final stage flip-flops 308, 31 8, 328, and 338, and data Is latched In order in the previous 
stage flip-flops. When data is to be outputted, as It is being shifted 1 byte to the right at one cycle, data Is outputted 
from the final stage fUp-fiops at the far rtght. Therefore whan data is rearranged in consideration of the fact that the 
data processing order starts from the far right, the state before Shift Row processlr^g for encryption takes the form 
shown In Table 7 left 



30 



ss 



40 



[Table 7] 

C Encryption ] 
Pre— proc 



a03 


a02 


a01 


apO 




a03 


a02 


aOI 


aOO 


at3 


a12 


all 


alO 


Cyclic Shift 1 Byte Right 


a10 


al3 


al2 


a11 


a23 


a22 


a21 


a20 


Cyclic Shift 2 Bytes Right 


a21 


a20 


a23 


a22 


a33 


a32 


a31 


a30 


Cyclic Shift 3 Bytes Right 


a32 


a31 


d30 


a33 



43 



80 



55 



[0065] To p^rm the same cyclic shift as in Table 5, as shown In Table 7 right, the first row is not shifted, the second 
row is cyclically shifted 1 byte to the right, the third row Is cydlcally shifted 2 bytes to the right, and the fourth row Is 
cyclically shifted a bytes' to the right 

[0066] In order to perfomi this kind of Shift Row transformation processing for encryption, the intennediato value 
register/Shift Row transformation circuit ^hown in FIG. 5 Is used to switch and control the selectors, and to replace 
data at once, in 128-bIt units. 

[0067] For the first row. because a shift Is unnecessary, the selector positions of theseiectbrs 301 , 303, 306 and 307 
are set at "aV For the second row, because of the cycfic shift 1 byte to the right, the selector position of theselector 
311 is set at V, and the other selectors 31 3. 315, and 317 are set at selector position "b". For the third row, because 
of the cyclic shift 2 bytes to the right, the selector position of the selectors 321 , 323, 325 and 327 is set at "e". For the 
fourth row, because of the cyclic shift 3 bytes to the right, the selector position of the selectors 331 , 333, 335 and 337 
Is set at "c". 

[0068] By designating the output data being latched by the flip-flops In the intermediate value register/Shift Row 
transfomiatlon circuit prior to execution of the above-described Shift Row transfonnation processing as bOO through 
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b33 respectively, as shown in FIG. 5 the output data becomes latched to the output of the flip-flops in an array as shpwn 
in Table 8 right. 



[Table 8] 



Shift Row Transformation Operation Model 



10 



IS 



so 



Prior to Shift Row 



Subsequent to Shift Row 



b03 


b02 


bOI 


bOO 




b03 


b02 


bOI 


bOO 


b13 


bl2 


b11 


btO 


b10 


b13 


b12 


b11 


b23 


b22 


b21 


b20 




b21 


b20 


b23 


b22 


b33 


b32 


b31 


b30 


ba2 


b31 


b30 


b33 



[0069] For decryption, t>ecause processing Is executed from the right column as in Table 4, the data Is an-ayed as 
shown In Table 9 left. 



[Table 9] 

[ Decryption ] 



23 



BO 



35 



40 



43 



GO 



ado 


a01 


a02 


a03 


alQ 


all 


a12 


a13 


a20 


a21 


a22 


a23 


a3d 


a31 


d32 


a33 



Cyclic Shift 1 Byte Right 

CycHc Shift 2 Bytes Right 
Cyclic Shift 3 Byteis Right 



Post^rocessi n g 



aOO 


aOI 


a02 


a03 


a13 


alO 


all 


a12 


a22 


a23 


a20 


a21 


a31 


a32 


a33 


a30 



[0070] To perform the same cyclte shift as in Table 6, as shown in Table 9 right, the first row is not shifted, the second 
row is cydically shifted 1 byte to the right, the third row Is cyclically shifted 2 bytes to the right, and the fourth row Is 
cyclically shifted 3 bytes to the right. 

[00711 Therefore, as during the above-described Shift Row transformation for encryption, by setting the selector 
values of the selectors In the intemrtediate value register/Shift Row fransfomiation circuit and performing exactfy the 
same processing as the cycfjc shift for. encryption as shown In Tabfe 8, Shift Row transformation processing for de- 
cryption can be executed. 

[0072] In this way, the same Intermediate value regfeter/Shfft Row transformation circuft can be used for Shift Row 
transfonnatlon processing for both encryption and-decryption. IVIIx Column Transfonnation Circuit 
[0073] The IV] ix Column transformation circuit adopted in this, embodiment Is shown In FtG. 6. 
[0074] This Mix Column transformation circuit Includes 4 operatior» units, a tirst operation unit 351 ;a second operation 
unit 352, a third operation unft 353 and a fourth operation unit 354. The first -opergftlpn unit 351 comprises aflrst mul- 
tiplication unrt 381 , a second multiplication unit 362..a third multiplication unit 363, and a fourth multiplication unit 364. 
each of which execute^s operations In B-bIt units, and an XOR circuit 365 that XORs the outputs of the multiplication 
units 361 through 384. The second operation unit 352, third operation unit 353, and the fourth operation unit 354, which 
are not shown In the figure, also have a first through fourth multiplication unit end an XOR clitnilt. 
[0075] When a column J comprising (aOj, a1 j, a2J, a3j) is transfomied Into a column comprising (bOj, bij, b2j, t>3]), 
the data (bOj, bij, .b2J, b3j) of column j after transformation can be expressed as follows. 
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Encryption 
[0076] 

5 

bOJ = 02*a0j + 03'*a1 J + 01 *a2j + 01 *a3J 



bij = 01 *aOj ^ 02*a1j + 03*a2j + 01 *a3j 
b2j = 01*aOj + oralj + 02*a2j + 03*a3j 



^5 b3j=03*aOj + Ora1J + 01*a2j + 02*a3j . 

Decryption 
10077] 

. bOj = OE*aOJ + 0B*a1j + 0D*a2j+09*a3j 



23 . b1j = O9*a0j + OE*a1j + 0B*a2j + 0D*a3j . 

b2J = 0D*a0j + 09*a1 j + 0E*a2j + 08^a3j 

30 

b3j = 0B*aOj + 0D*a1j +. 09*a2j + 0E*a3j 
10078] . The coefficients by which each column is. murtipKed are described as hexadecimal. 

[0079] To execute this Mix Column transformation processing, the 32-blt data columns ar6 Inputted Into the first 
35 through fourth operation units 351 through 354, respectively, and muitipijcatlon by the first through fourth operation 
units 361 through 364 and the operation by the XOR circuit are performed. . ■ ' 

[0080] The mumpllcatlon units 361 through 364 of the operation units 361 through 361 are provided with a coefficient 
for encryption and a cbefficfent for decryption, so that they can be used for both encryption and decryption, and they 
are constituted so that selection of a coefficient can be made during operations. 
40 [0061] The firgt multiplication unit 361 of the operation unit 351 can multiply Inputted data by either 0x02 or OxOE. 
The second multiplication unit 362 can multiply inputted data by either 0x03 or OxOB. The third multiplication unit 363 
can multiply inputted data by either OxOi or OxOD. The fourth multiplication unit 364 can multiply inputted data by either 
0x01 or 0x09. 

[0082] The first multiplication unit of the secorKl operation unit 352 can mimiply Inputted data by either 0x01 or 0x09. 

45 The second multiplicatlpn unit can mpuftiply Inputted data by either 0x02 or OxOE. The'thlrd multiplication unit can multiply 
inputted data by either 0x03 or OxOB; The fourth multiplication unit can mu Riply inputted data by either 0x01 or OxOD. 
[0083] The first rifiultlplicatlon unit of the third operation unit 353 can multiply Inputted data by either' 0x01 or OxOD. 
The second multiplication unit can muftipty inputted data by either 0x01 or 0x09. The third multiplication unit can multiply 
Inputted data by either 0x02 or OxOE. The fourth multlplicalion unit can muftlply Inputted data by either 0x03 or OxOB. 

so [0084] The first multiplication unit of the fourth operation unit 364 can mult^ly inputted data by either 0x03 or OxOB. 
The second multiplication unftcan multiply inputted data by either 0x01 or OxOD. The third multiplication unit can multiply 
inputted data by either 0x01 or 0x09. The fourth multiplication unit can mult^ply Inputted data by either 0x02 or OxOE. 
[0085] By charging the coefficients used for encryption and for decryption In the first through fourth multiplication 
units of the first through fourth operation units 361 through 354, the same circuit constitution can be shared for both 

S3 encryption and decryption. Multiplication Units of the Mfoe Column Transformation Circuit 

[0086] An example of the multiplication unte Included In the Mb( Column transformation circuit is shown in FIG. 7. 
[0087] yr\e multiplication units multiply Inputted S-bit data (a7. a6. a5. a4, a3, a2, a1 , aO) with a coefficient (b3, b2, 
b1. bO). For this, partial product operation units 375 through 378 are provided, which multiply the 8-bit data (a7, a6, 
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aS. a4. 83. a2, a1 , aO) with each bit of a coefficient (b3, b2, b1 , bO). Also provided are: an addition unit 371 that shifts 
the result of the partial product unit 376 1 bit and adds this to the result of the partial product unit 375, which multplies 
using the highest bit of a coefficient; an addition unit 372 that shifts the resultant of the partial product unit 377 1 bit 
moreover and adds this; and an addition unit 373 that shifts the resultant of the partial product unit 378 1 bit moreover 
5 and adds this. There is also provided a dhrlsion unit 374 Into which the resultant of the addition unit 373 and overflow 
carried over from the addition units 371 to 373 are inputted and divided by a divisor. 

[0088] With this constitution, by selectively setting as the coefficient (b3. b2, b1 , bO) a coefficient for encryption and 
a coefficient for decryption, the mixed column transformation processing can be used both for encryption and tor de- 
cryption. 

10 [0089] As described above, there are 2 coefficients, set as (b3, b2, b1 , bO). established for each multiplication unit. 
There are 4 combinations of coefficients in the multiplication units, namely» (0x02, OxOE), (0x03, OxOB), (0x01. OxOD), 
(0x01, OxC9). When these are expressed as 4 low order bits, they beconne (0010. 1110). (0011, 1011), (0001. 1101), 
and (0001 , 1 001 ). The operations for common bits in these coefficients do not perform control of the partial products; 
rather, the operations for different bits control the addition processing; this allows the circuit to be reduced In scale. 

fs [0090] For example, when the coefficients are the combination (0x01 , OxOD), they become (0001 ,1101 ) when ex- 
pressed in binary; by controlling whether or not the result of the addition of the partial product of the 2 upper bits is 
added to the partial product of the lower 2 bits, the selection and multiplication of 2 coefridents becomes possible. FIG. 
B shows the circuit constitution for the coefficient combination (0x01 , OxOD). 

[0091] in FIG. 8, a f irst addiUon unit 381 that shifts inputted 8-bIt data (a7, a6, a5, a4, a3, a2, a1,aO) 1 bit and executes 
20 addition processing thereupon. The output of the first addition unit 381 is inputted Into a second addition unit 383 via 
a control logic circuit 382, Th is second addition unit 383 adds the result of the partial product operation by the uppermost 
bit of the coefficient, and it is constituted to shift inputted O-bit data 3 bits and execute addition processing thereupon. 
[0092] A division unit 384 is provided into which the resultant of the operation of the addition unit 383 and the overflow 
carried over from the first addition unit 381 and the second addition unit 383 are inputted and divided- by a divisor. 
25 [0093] The control logic circuit 382, when a coefficient is 0x01 , does not output the output of the addition unit 381 , 
which is an upper 2-bIt resultant. The control logic circuit 382 may be constituted so that, when a coefficient is OxOD, 
the output of the first addition unit 381 , which is an upper 2 bit result, Is outputted to the addition unit 383 
[0094] Because the multiplication perfomied here is multiplication over GF (28) where the irreducible polynomial Is 
M(x) = xfi + x*4-x3 + x4-1, and the addition is over GF(2), they can be achieved with an XOR operation. 
30 [0095] In this manner, by controlling the addition of partial products in diffenent bits of 2 coefficients, the circuit scale 
can be made smaller, enabling reduction of the scale of circuit. Key Schedule Unit 
[0096] FIG. 9 shows the circuit constitution of the Icey.. schedule unit. 

[0097] The key schedule unit comprises, primarily, an expanded key generation logic unit 101 , an expanded Icey. 
register 120 and a key Input register 131. . 
^ . [0098] The key input register 1 31 is a 256-blt re^ster comprising 8 32-bit registers kO through k7. and a cipher key - 
is stored in 32-bit units starting from register kO and proceeding in order therefrom. When the cipher key is 256 bits, 
da:ta is stored in all the registers kO through k7; when the cipher key is 192 bits, data is stored in registers kO through 
kS, and when the cipher key is 1 28 bits, data js stored in reglsteiB kO through k3. 

[0099] A selector 132 that selectivefy. outputs one value from the registers kO through k7 is connected to the key 
40 Input r9glst©r 131. This selector 132 selects 32 bits of data from the 256-blt data of the key- Input register 131 and 
inputs this at the lowest position of the expanded key register 120, 

[0100] the expanded key register 120 is a shift register to which are connected In series 8 flip-fk>ps 121 through 
128, which are capable of processing in 32-bit units. Inputted into the flip-flop 128, whteh Is at the lowest position, is 
the output of the selector 1 1 3, which selects the output of the selector 1 32 and the output of the expanded key generation 
4s jogic unit 1 01 . The output W7Key of the flip-flop 128 Is hputted into the flip-flop 1 27. The output W6Key of the filp-flop 
127 is frpuned Into the selector 112, which is at the stage previous to the flip-flop 128. Inputted into the selector 112 
Is the output W6KEY of the flip-ftop 127 and the output of the expanded key generation logic unit lot, and one of these 
is Inputted Into the flip-flop 126. 

£0101] the output W5KEY of the flip-flop 126 is inputted Into the flip-flop 125. The output W4Key of the fRp-flop 125 
SO isinputted&itotheselectorlll, which Is at the stage previous to the flip-flop 124. Inputted Into the selector 111 Is the 
output W4KEY of the flip-flop 1 25 and the output of the expanded key generation logte unit 1 01 , and one of these is 
Inputted into the flip-flop 124. 

[0102] The output W3KEY of the flip-flop 124 is inputted Into the flip-flop 123. The output W2KEY of the flip-flop 123 
Is Inputted into the flip-ftop 122. The output W1KEY of the flip-flop 122 Is inputted into the flip-flop 121. 
S5 [01 03] The expanded key generation logic unit 1 01 Includes a ROM 1 02 in which an expanded key generation con- 
stant Rcon is stored, an AND circuit 103 that ANDs a value read out from the ROM 102 and a signal RCON.EN. and 
an XOR circufi 1 04 whk:h XORs the WOKEY of the fl{p-fk>p 1 21 positioned at the top of the expanded key register 1 20 
and the output of the AND circuit 1 03. which have been inputted therein. 
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[0104] The expanded key generation logic unit 101 also includes a selector 1 05. into which the flip-flop 122 output 
W1KEY. the flip-flop 124 output W3KEY, the flip-flop 126 output W5KEY, and the flip-flop 128 output W7KEY are In- 
putted, and which selectively outputs one of these. The output of the selector 105 is inputted into the Rot Byte circuit 
106. which rotates data, the selector 107. and selector 1 09. The output of the Rot Byte circuit 106 and the output of 

5 the selector 1 05 are inputted Into the selector 1 07, which supplies one of these to the Sub Byte circuit 1 08. The Sub 
Byte circuit 10B executes Byte Subtransfonnatlon processing In 32-bit portions. aiKl supplies the output thereof to the 
selector 109. Into the selector 109 are Inputted the output of the Sub Byte circuit 108 and the output of the selector 
105, one of which it outputs. The expanded key generation logic unit 101 also Includes an XOR circuft 110. The output 
of the XOR circuit 1 04 and the output of the selector 1 09 are Inputted into the XOR circuit 110. which then XORs these 

10 outputs. 

[0105] A key schedule unit thus constituted includes such functions as: 1) generation of the expanded key used In 
the Round Key Addition processing of the round function unit; 2) rewrite of the key input register during encryption, 
and setup of the expanded key Initial value following completion of encryption and decryption; and 3) setup of expanded 
key initial value following rewrite of the key input register during decryption. 

IS [0106] The round keys used In Round Key Addition processing of the round function unit must total 15, from the 
Initial round key and round key 01 through round key 14, when the key length Is 256 bits. Each round key Is made up 
of 128 bits, In correspondence with the processing block length; In order to assign the round keys to the 32-blt expanded 
key segments generated by the key schedule unit, a total of 60 expanded key segments WOO through W59 are required. 
These expanded key segments WOO through W59 are used in the order W00->W69 for encryption, and In the order 

so W59->W00 for decryption. In this embodiment, as shown in Table 10, expanded key segments are generated in the 
order W00-^WS9 for encryption, and in the order W59-^vy00 during decryption. 
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[Table 10 J Expansion Key Schedulo CThis Example for 256-Bit Key Leneth) 
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[0107] The expanded key segment W08 for encryption, in accordance with the formula W08=W00^ub Byte(Rot 
Byle{W07))ARco n[1 ], is obtai ned by XORing WOO , Sub Byte(Rot Byte(WG7) and thoconslant Rcon[1 ]. Because A^A=A, 
the expanded key segment WOO can be expressed as WO0=Woa^ub Byte(Rol Byte{W07))^RconI1]. nneaning that 
WOO can be generated Ifom W08 and W07. Th us, for decryption, first W00=>W59 are generated, and then In the order 
that is the inverse of encryption, I.e., W58=>W00, expanded key segments are generated. In this manner, there is no 
need to store ail the expanded keys for decryption In memory, making possible decryptton processing wherein only 
the expanded key segments needed for each round are generated. 

[0108] An explanation will first be given the generation of expanded key segments for the Round Key Addition 
function of the round function unit 

[0109] As shown In Tablo 1 0, in the Round Key Addition function in each rounds 4 expanded key segments having 
32 bits are used; because expanded key operations are pert omied bi the background of the Mix Column transf omnabon 
4- Round Key Addition function of the round function, 4 expanded key segments may be created In 4 cycles. For this 
reason, in a circuit constitutton as shown in FIG. 9. 1 expanded key segment Is generated in 1 cycle. The expanded 
key segment register 120 comprises a shift register, and the.expanded key segments cun^ently being used In a round 
function use the output WOKEY of the flip-flop 1 21 . 



16 

PAGE 20/135 * RCVD AT 6if5/2006 5:11:15 AM [Eastern Daylight Time] * 8VR:U8PTO-EFXRF-6M6 * DNI8:273S300 * C8ID:6«1460-1986 * DURATION (miT»4s):83^ 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group* LLC TO: 1-571-273-8300 PAGE: 021 OF 135 



EP.1 271 839 A2 

[0110] The selector 105 (SEL^B) of the expanded key generation logic unit 101 , as shown (n Table 11 . is controlled 
so as to switch depending upon 2 different types of conditions, namely, key length and encryption/decryption. The 
selectors 111 , 112. and 11 3 (SEU_E through SEL_G), into which the output of the expanded key genoration logic unit 
101 Is Inputted, are set based on key length, as shown In Table 12. However, when a cipher key Is inputted as an initial 
value, "b" Is sele<*ed as the selector position for the selectors 111 through 113. The selectors 107 and 109 (SEL_C, 
SEL-D), as shown in Table 13, are controlled so as to switch depending upon the expanded key generation logic. The 
ROM 1 02 stores the constant Rconp], which is inputted to the XOR circuit 1 04. and the constant Rcon[i] conrespondmg 
to the address "1" is stored as shown in Table 14. 
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[Table 111 



SEL_B Control 


Key length 


Encryption 
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[Table 13] 



SEL^C, SEL_D Control 
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Rcon ROM Table 


Rcon_Addr 


Hex 


Bin 


01 


0x01 


0000^0001 . 


02 


0x02 


oood_ooio 


03 


0x04 


0000.01 00 


04 


0x08 


0000.1000 


05 


0x10 


0001_0000 


06 


0x20 


OOlOJWOO 


07 


0x40 


0100^0000 


08 


0X80 
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[Table 14] (continued) 
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Rcon ROM Table 


Rcon^Addr 


Hex 


Btn 


09 


0x1 B 


0001J011 


10 


0x36 


0011.0110 



[0111] An explanation will be given of circuit operations when the key length is 256 bits, as shown In Table 1 0. Prior 
to operation of the round function, through the loading of the values of the registers kO through k7 of the key Input 
register 131 , the initial values from No. 00 through No. 07 are set in the flip-flops 121 through 128 of the expanded key 
register 120. 

[0112] The expanded key segment W08 tor encryption Is computed, as shown In Table 10, with the operation 
W08=W0O^Sub Byt6(Rot Byte(W07))ARcon[1 ). At the beginning of this operation W08=W00^Sub Byte(Rot Byte(W07)) 
'^Rcon[1]. woo is set at the output WOKEY of the flip-flop 121 and Inputted into the XOR circuit 104. W07 Is set at the 
output W7Key of the flip-flop 1 28. and this W07 is inputted into the selector 1 05 (SEL_B). 

[01 1 3] The Rcon address of the ROM 1 02 is nfiade "1 " and the signal RGON_EN to be Inputted into the AND circuit 
i 03 is enabled; the Rcon[1)AW00 operation Is perfonned by the XOR circuit 1 04, and the result thereof is Inputted Into 
the XQR circuit 1 1 0. Meanwhile, W07, having passed through the selector 1 05 (SEL^B), Is processed by the Rot Byte 
circuit 1 06 and the Sub Byte circuit 1 08; the result of the Sub Byte(Rot Byte(W07)) operation is inputted Into the XOR 
circuit 110. Thus the XQR circuit 110 performs the W08=w6o^Sub Byte(Rot Byle(W07))ARcon[1] operation. 
[01 1 41 An explanatton will next be given of the expanded key segnnent W09=W01 '^WOB operation processing. At the 
beginning of the W09=W01 '^W08 operation, Wol Is set at the output WOKEY of the flip-flop 1 21 and then inputted Into 
the XOR circuit 1 04. W08 is set at The output W7KEY of the flip-flop 128, and Inputted Into the selector 1 05 (SEL_B). 
The signal RCON_EN to be inputted Into the AND circuit 1 03 Is disabled, and WOl to be inputted from the f llp-llop 1 21 
is set so as to inputted Into the XOR circuit t10. At this time, the selector 109 (SEL_D) Is set at selector position "b", 
and W08, having passed through the selector 1 05 (SEL_B), is inputted into the XOR circuit 110. . 
[01 1 5] Thus the XOR ctrcufl 110 perfomis the W09=W01 ^WOS operation. The operations for W1 0, Wll and W13 
through W15 are perfonned along the same path. 

[0116J The expanded key segment W12 operation processing will now be explained. The expanded key operation 
W1 2=W04ASub Byte(W1 1 ) Is perfonned; at the beginning of this operation, W04 Is set at the output WOKEY of the flip- 
flop 121, and inputted Into the XOR circuit 104. W11 is^et atthe output W7KEY of the flip-flop 128. and Inputted into 
the selector 106 (SEL_B). The signal RCON_EN to be Inputted into the AND circuit 103 is disabled, and W04 is set 
so as to be inputted into the XOR cinsuit 1 04. Meanwhile, the selector position of the selector 107 (SEL^C) is set at 
^'b", and W11 , having passed through the selector 1 05 (SEL_B), Is Inputted into ttie Sub Byte.circult 108 via the selector 
107 (SEL.C). Thus the Sub Byte circuit 108 perfonms Sub. Byte processing, and the result of the Sub Byte(W11) 
. operation is inputted Into the XOR circuit 110. Thus the XOR drouit 1.10 perfonns the W12=W04^ub Byt6(Wi1) op- 
eration. 

[0117] In the above manner, operations for all the expanded key segments are performed. 
[01181 Next, an explanation will be made of the rewrite of the key input register 131 for encryption and the setup of 
the expanded key Initial following comjsletion of encryption and decryption. This setup operation Is an operation In 
preparation for the subsequent encryption or deciyptJon, in whkdi an expanded key initial value Is transmitted to the 
expanded key register 120. 

[0119] An expanded key initial value set at the key input register 131 undergoes 32-bit unit data selection by the 
selector 132 (SEU-A). and Is set at the expanded key register 120 ^ the selection position "b" of the selector 113 
(SEk.G); The e^anded key register 120 is constftuted as the shift register descrft^ed above, shifting, data along the 
direction of flip-flop 128 (FF7) => flip-ftop 127 (FF6) => fDp-ftop 128 (FF5) => flp-flop 125 (FF4) ^ flip-flop 124 (FF3) 
=> fBp-fiop 123 (FF2) => flip-flop 122 (FF1) => flip-flop 121 (FFO), transmitting all the expanded key initial values in 8 
cycles. The key input data to be selected by the selector 132 (SEL_A) is in the order of the reglsteiB kO, k1 . k2, kS, k4, 
k5, k6, k7 of the key input register 131 . 

[0120] An explanation will be given of expanded key Initial value setup following the rewrite of the key input register 
1 31 for decryption. As shown In Table 10, In decryption, the expanded k^ Initial value must be made the final expanded 
key segment set during encryptioPp namely WS9 through W&2. Through the rewrite of the key input register 1 31 , the 
data that Is set at the key input register 131 Is, in the manner described above, first transmitted to the expanded key 
register 120, and In accordance with the expanded key generation logic for encryption, the circuit of FIG. 9 is caused 
to operate up through the final expanded key segment s^, namely W52 through W59. 

[01 21 ] As this final expanded key segment set is being generated, during generation of W52, W52 is transmitted to 
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the register k7 of the key Input register 131 ; during generation of W53, W53 is transmitted to the register k6; during 
generation of W54. W54 Is transmitted to the register k5: during generation of W55, W55 Is transmitted to the register 
k4: during generation of W5fi. W5B is transmitted to the register k3; during generation of W57, W57 Is transmitted to 
the register k2; during generation of W58, WSa is transmitted to the register k1; during generation of W59. W59 Is 
5 transmitted to the register kO; thus the final expanded key segment is set In the reverse order In the key input register 
1 31 . Moreover, by transmitting the finat expanded key segment set of the key Input register 131 to the expanded key 
register 1 20 In the manner described above, the setup of the expanded key initial value following the rewrite of the key 
input register during decryption is completed. 

[0122] Thereafter, the selector 1 05 (SEL3)» selector 1 07 (SEL_C), selector 109 (SEL_D), and selectors 111 through 
10 113 (SEL_E through SEL_,G) are set at selector positions as shown in Tables 11 through 13, and the expanded key 
segments needed for decryption are generated In order. Shared Use of the Byte Sub Transfomnation Qrcult 
[0123] Because the above-described Sub Byte processing of the key schedule unit and Byte Sub transformation 
processing of the round function unit both execute Byte Sub tnansfomiation processing in 32-bit units, a single circuit 
can be used for both these processings. 
IS [0124] For example, let us consider using the Byte Sub cfrcuit 108 provided In the key schedule unit shown in FIG. 
9 as the Byte Sub transfomiation circuit ot the round function unit. 

[0125] The input BSIN Into the Byte Sub circuit 207 from the intennedlate reglster/Shlft Row transfomiation circuit 
206 In the round function unit shown in RG, 4 connects with selector position "c" of the selector 107 of the expanded 
key generation logic unit 1 01 shown In FIG. 9. The output from the Sub Byte circuit 1 08 of the expanded key generation 
so logic unit 1 01 connects to the selector 203 as the output BSOUT of the Byte Sub transfonnation circuit 207 of FIG. 4. 
[0126] When using the Sub Byte circuit 108 to perfonn Byte Sub transfonnation processing, as shown In Table 13, 
with the selector position of the selector 107.<SEL_C) at "c", the selector position of the selector 1 09 (SEL.D) is set 
at "b". In thte manner, the Sub Byte circuit 1 08 of the expanded key generation logte unit 1 01 can be used to execute 
the Byte Sub transformation processing of the round function unit. Byte Sub Transfomnation Circuit Byte Sub transfor- 
ms mation processing is a combination of an inverse operation in 8-blt units and a matrix operation; for encryption, after 
the perfomiance of an inverse operation, a matrix operation is performed; for decryption, after the performance, of a 
matrix operation, an inverse operation Is performed. In order to implement such Byte Sub transfonrriiatlDn processing 
using a common circuit for both encryption and decryp^on, a circuit as shown in FIG. lo.ls hereby proposed. 
£01 27] A Byte Sub transfonmation circuit 391 as shown in FIG. 1 0 comprises a matrix ^Deration circuit for decryption 
30 392, a selector 393. an inverse operation circuit 394. a nnatrbc operation for encryption 395, and a selector 396. 

[0128] The selector 393 is constituted so that Input data and the output of the Inverse (deration cin:ult 392 are 
inputted thereln. of which one is inputted to the Inverse operation circuft 394. The selector 396 Is constituted so that 
the output of the inverse operation circuit 394 and the output of the matrix operation for the encryption circuit 395 is 
Inputted therein, of which one is outputted. 
35 [0129] During encryption, the selector 393 Is on the Input data side, and the selector396 Is on the matrix operation 
for encryption 395 side. During. decryption,. the selector 393 is on the matrix operation for decayption 392 side, and the- 
selector 398 is on the inverse operation drcuil 394 side. In this manner, Byte Siib transfornfiatlon processing for en- 
cr^tion and Byte Sub transfonmation processing for decryption can be aocomplrshed using a common circuit constN 
lution. 

40 [0130] The matrix operation tor encryption can be expressed as the following expression 1 . 
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[0131 J , As this Is expanded, It can be expressed as the following expression 2. The below means an XOR oper- 
ation.- 

^ lExpression 2 J 
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[0132] The malrix operation for decryptiori can be expressed as the following expression 3. 

SB 
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[Expression 3] 
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[0133] As this te GlmDarly expanded, It can be expressed as the foitowing expression 4. 

25 , .• 



[Expression 4] 

+ Xg > x, + 1 

X, + X4 ' . + X7 + 1 

■ +Xa. ■•. •> Xg '.' 

•X, . • + 'Xj ' + Xj 

Xj + X4 . + x, 

+ Xa + Xg 
xi ' + X4 ■ .• • + Xs . 

[0134] An example of a matrix operation circuit for encryption Is shown In FIG. 11 . 

[0135] This drcuft comprises an 8-bit \r^)ut register 401 , an output register 403, and a logic circuit 402 comprising 
«o XOR and NOT gates. The execution of the XOR operation shown in expression 2 for encryption can be achieved 
through 16 XOR gates arxJ 4 NOT gates by having XOR circuits in the logic cimuit 402 share overlapping operations. 
[0136] An example of a matrix operation cincuh for decryption Is shown in FIG. 1 2. 

[01 37] Similar to the matrix operation circuit for encryption, this circuit corr^iisea an 8-bit input register 405. an output 
register 407 and a logic circuit 406 conrprteing XOR and NOT gates. As with ttie matrix operation circuit for encryption, 
55 the execution of the XOR operation shown in esqiree&lon 2 for encryption can be achieved through 1 3 XOR gates and 
2 NOT gates by having XOR circuits in the logic drcuft 406 share overlapping operations. 
[0138] Another example of a matrix operation clicuh for encryption Is shown In FIG. 13. 

[0139] This matrix operation circuit for anciyption comprises an input register 411. an output register 414, a shift 
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register for holding constams413, and a togicclrcult41 2 comprising XOR circuits. The input reglster411 , output register 
414 and a register for holding constants 413 are ail 8-blt shift registers that are synchronized with a clock to make 
cycflc shifts 1 bit to the right. 

[0140] The constants In the first right column of expression 1 are constituted so that each line has 3 O's and 5 1's 

5 and shuts 1 bit at a time. Then, as bits xO. x4, x5. x6. x7 of the Input register 411 are cyclically shifted, they are Inputted 
Into the logic circuit 41 2 and XORed; thus the matrix operation of the first right column of expression 1 is performed. 
[01 41] The constants in the second column from the right In expression 1 atB set in the register for holding constants 
413, starting f nam the lower bits. As the values of the register for holding constants 41 3 are cycicaliy shifted , the values 
of the lowest^jrder bits are inputted Into the logic circuit 412 and XOR operations are performed; thus the matrix 

10 operation of the second column from the right of expression 1 is perfonned. 

[0142] When data Is set at the Input register 411 in this manner, at the first clock cycle operations are performed on 
yO, and the result is then stored In the output register 41 4, At the next clock cycle operations are perfomied on y1 , and 
the result Is then stored in the output register 414. Operations are then performed In order so that with 8 clock cycles 
the operations on (y7, y6, yS, y4, y3 y2, y 1 yO) are completed. The logte circuit 41 2 can in this case execute the operation 

IS processing of expression 2 using 5 XOR circuits. 

[0143] An example of another matrix operation circuit for decryption, wfth a similar constitution, is shown in FIG. 1 4. 
[0144] This matrix operation circuit for deiciyptlon comprises an input register 415, an output register 41 8, a register 
for holding constants 417 and a togfc circuit 41 6 comprising XOR circuits. The input register 41 5, output register 41 8, 
and registerforhoWirig constants 417 are all B-bIt shift registers that are synchronized with a clockto make cydfcshift^ 

^ 1 bit to the right. 

[0145] The constants in the first-right column of expression 3 are constituted so that each line has 3 0*s-and 5 Vs 
and shifts 1 bit at a time. Then, as bits x2, x5, x7 of the input register 415 ai-e cyclically shifted, they, are inputted into 
the logic circuit 41 6 and XORed; thus the matrix operation of the first right column of expression 3 is perfonned. 
[01 46] The constants In the second column from the right In expression 3 are set In the register for holding constants 
417, starting from the lower bits. As the values of the register for holding coristants 417 are cycitcaily shifted, th© value 
of the iowest-order bits is inputted into the logiccircult 41 6 and XO R operations are performed; thus the matrix operation 
* of the second column from the right of expression 3 is jDerformed. 
[01 47] When data is set at the input register 41 5 in this manner, at the first clock cycle, operations are performed on 
yO. and the result Is then stored in the output register 418. Operations are then perfomied in order so that with 8 clock 
SO cycles the operations on (y7. y6. y5. y4. y3 y2. y1 yO) are completed. ThQ logic circuit 41 3 can in this case execute the 
operation pnx:essing of expression 4 using 3 XOR circuits. 

[01 48] The use of the present mention enables the implementation of the AES block cipher algorithm In a compact 
circuit through the division of data to be processed by specified circuits into predetemnined execution block lengths. 
Also, through the sharing of cfrtsuils for processing for encryption as circuits for processing for decryption^ as well as 

^ . • the sharing of some circuits by key schedule unit and the round function unit, the scale of circuit can be further reduced. 
[0149] While only selected embodiments have been chosen to illustrate the present Invention, to those skilled in the 
art It will be apparent from this disclosure th at various changes and modifications can be made herein without departing 
from the scope of the Invention as defined In the appended claims. Furthenrwre, the foregoing description of the em- 
bodiments according to the present Invention is provided for Illustration only, and hot for the purpose of limiting the 

40 Invention as defined by the appended claims and thieJr equivalents. 

Claims 

45 1 . An encryption circuit that generates from a cipher key a plurality of round keys having a number of bits con-espond- 
Ing to a predetermined processing block lengtii and executing, for each processir^ block length, Irfput data and 
round key encryption/decryption processing, by means of a round function unit comprising an XOR operation unit 
that XORs the input data and one of the round keys and a round processing unit that iterates round processing 
. that includes Byte Sub transfonnation, Shift Bow transformation, IMIx Column transformation and Round Key Ad- 

so ditlon, wherein: • • 

said round processing unit comprises: 



55 



a first selector that segments input data into execution block lengths smaller than said processing block 
length; a first Round Key Addition circuit that adds said round key value to input data for each. said exe- 
cution block length; 

an intemiediate register/Shift Row transformatk)n circuit that temporarily stores the output of said first 
Round Key Addition circuit and executes Shift Row trarisformation using said processing block length; 
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a Byte Sub transformation circuit wherein 

said intermediate register/Shift Row transfoimation circuit value is inputted for each said execution block 
length end Byte Sub transformation Is executed; a second Round Key Addition circuit wherein 
said intennediate register/Shift Row transformation circuit value is Inputted for each said execution block 
B length and satd round key value Is added for each sakj execution block length; 

a Mix Colunnn transformatk>n circuit executing Mix Column transfonnatton on the output of said second 
Round Key Addition circuit; and 

a second selector that outputs to said first RoUnd Key Addition circuit one output from among the outputs 
of said first selector, intemnediate register/Shift Row transformation circuit, Byte Sub transformation circuit, 
^0 or Mix Column transfomialion circuit 

2. An encryption circuit according to claim 1 wherein said execution block length is a multiple of 8 bits. 

3. An encryption circuit accordng to claim 1 , wherein said processing block length Is 128 bits and said executk)n 
IS block length Is 32 bits. 

4. An encryption circuit according to claim 1 » wherein the key length of the cipher key is any of 128 bits, 1 92 bits or 
■ 256 bits. 

^ 5. An encryption circuit according to claim 1 , wherein: 

said Byte Sub transformation circuit, comprises a matrix operation unit for decryption that executes a matrbc 
operation on input data; 

a third selector that outputs either the Input data or the output of said matrix operation unit for decryption; 
^5 an inverse operation unit for executing an inverse operation on the data outputtedfrom said third selector; a 

matrix operation unit for encryption that executes a matrix operation on the data outputted from said inverse 
operiation unit; and a fourth selector that outputs either the output of said Inverse operation unit or the output 
of said matrix operation unit for encryption. 

30 6. . An encryption circuit according to daim 5;. wherein said matrix operation unit lor decryption and said matrix oper- 
~ ation unit for encryption comprises an XOR circuit so as to perfonn 8-bft operations at one dock cycle. 

7. An encryption circuit according to claim 5, wherein said matrix operation unit lor decryption and said matrix oper- 
ation unit for encryption conriprises an XOR circuit so as to perfomn 1 -bit operations at one ck>ck cycle. 

35 

' 8, Ah encryption circuit according to claim 1 , wherein said intemiediate register/Shift Row transfonnation circuit can 
be used for both encryption and decryptton through the reversal of order of input of shift data relating to amount' 
of shift for data to be inputted into said intemnediate register/Shift Row transfonmation circuit, the Input order for 
decryption Iseing the reverse of the order for encryption. 

40 ' 

d. ' An encryption circuit according to claim 1 , wherein said Mix Column. transformation circuit comprises a plurality of 
mulliplicatlbn units with unique multipliers and an XOR circuit that performs XOR operations for said plurality of 
multiplication units, said Mix Column transformation circuit executing a matrix operation between data inputted 
Into each multiplk;ation unit and the multiplier established for each multiplication uniL 

45 

10. An encryption circuit eocordlhg to claim wherein said Mbc Column transfomiatlon circuit comprises 4 operation 
units having 4 multiplicatkin units capable of 8-blt unit operattons and XOR circuits that execute XOR operations 
based on the outputs of sakj 4 multlpDcadon units. 

^0 11 . An encryption circuit according to daim 9, wherein said muttlpiication units can control 2 multipliers and are used 
for both encryption and decryptk)n. 

12. An encryption circuit according to claim 11, wherein said multiplication units are constituted to control addition 
values from high -order bits. 

55 

13. An encryption circuit according to daim 1 having a key expansion schedule circuit that generates from said cipher 
key, as an expanded key segmented into bit numbers con'esponding to said execution block length, a plurality of 
round keys with bit numbers corresponding to a predetermined processing block length; the key expansion sched- 
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ule circuit comprising: 

a fifth selector that segments a cipher key Into the nunriber of bits corresponding to said execution blocic length 

and outputs the same; 

a shift register to which flip-flop circuits are connected at a plurality of stages, said flip-flop circuits latching 
data In units of said execution blocic length; 

a first XO R circuit that XORs the output of the final stage flip-flop circuit of said shift register with one constant 
selected. from among a group of constants; 

a sixth selector into which are Inputted the oulputs of those ffip-flops of said shift register that are involved in 
operations for encryption and the oulputs of those flip-flops involved In operations for decryption, and which 
sele<^vely outputs one of these; 

a Rot Byte processing circuit that rotates the output of said sixth selector, 

a seventh selector into which the output of said sixth selector and the output of said Rot Byte circuit is inputted 
and which selectively outputs one of these; 

a Sub Byte processing circuit that executes Byte Sub transformation on the output of said sevenm selector 
. for each said. execution blocl< length; 
aneighthselectorinto which the output of saidsixth seiectorandtheoutput of said Sub Byte processing circuit 
are inputted, and which selectively outputs one of ttiese; 

a second XOR circuit that executes an XOR operation based on the output of said first XOR circuit and the 
output of said eighth selector; and 

a shift register unit selector that selectively outputs, to those flip-flops of said shift register the outputs of which 
are subjiect to operations for encryption, either the output of eaid second XOR circuit or the output of the 
adjacent stage flip-flop. 

14. An encryption cihwjil according to clatm 1 3, wherein said shift register comprises 8 f iip-flops executing data process- 
ing in 32-bit units, and said sixth sQlector Is constihjted so that the outputs of the second, fourth, sixth and eighth 
flip'flops from the bottom from among said fnp-flo|>s are Inputted therein, and that it outputs one of these. 

15. An encryption circuit according to claim 13, wherein through the Input into said seventh selector of the output of 
said Intennediat© ragister/Shlft Row transformation circuit and the input into said second selector of the output of 
said Sub Byte processing circuit, a single circuit can be used for said Sub BytQ processing circuit and said Byte 
Sub trarisfonnatlon circuit of said round processing unit. 



40 
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Key Lmgth = =^ 1 28brt or 1 92btt 

KoyExpanslon<bytoKey C4*Nk] word W [Nb * ( Mr + 1 )] 



for(i = 0;i<Nk;rH-) 

W [ n = { K ey [ 4 * I ] . Key [ 4 * I + 1 ] . Key [ 4 * i + 3 3 ) ; 
f or ( i = Nk : i < Nb * ( Nr + n ; i 4+ ) 



I 



temp=wri-t ]; 

temp = Sub Byta( RotByt8(tenip))"Bcon [i/ Nk] ; 
Wli] = WCi-.Nk]"tefnp; 



Key Length = = 256bit 

KeyExpansioni ( byte Key £ 4 * Nk] woH W [ Nb * ( Nr + 1 ) ] 

for(l = 0;i<Nk;i'*H-) . 

W[U = (Key [4* i].Key C4'*'i + 13 .Key [4* I + 3 3 ) ; 
for < i = Nk ; l< Nb ♦< Nr + 1) : l+f) 

I ■ 

tBmp=:W[i-1 ]; . . 
if (i%Nk = = 0) 

temp = Sub Byte ( Rot Byte ( temp ))" Rcon C i / Nk 3 ; 
elsojf (.i»Nk = =^4) 

temp = Sub Byte ( temp ) ; 
W[l]=W[i-Nk3"temp: . 

} 

J 



Fig . 2 



26 

PAGE 3(W135* RCVD ATe/»200e 5:11:15 AM [Eastern DayOghtTlme] * 8VR:U8PTO-EFXRF-eM6 • DNI8:2738300 ' 0810:661^460-1980 * DURATION (inm-ss):83^ 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group. LLC TO: 1-571-273-8300 PAGE: 031 OF 135 

EP 1 271 839 A2 





CPU 




Coprocessor 










Byte Sub Transformation 










Mix Cohjmn "trahsformatlon 





Fig , 3 



27 

PAGE 31/1 35 - RCVD AT tHOOM 5: 1 1 :15 AM [Eastern DayOgm Tbne] - 8VR:U8PTO-EFXRF-ef46 ' DN18:2738300 * C8ID:M140O-1 986 * DURATION (inin-ss):83-90' 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 032 OF 135 

EP 1 271 839 A2 




28 

PAGE 32/135 * RCVD AT 6/5/2008 5:11:15 AM CEastem DayUgttt Tbne] ' 8VR:U8PTaEFXRF-6M0 * DNI8:2738300 * C81D:661 460-1 988 * DURATION <mm-ss):83-50 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 033 OF 135 

EP 1 271 839 A2 




29 

PAGE 33/13» * RCVD AT «/3/200e 5:11 :15 AM [pastern DayUgtit Tbne] * 8VR:U8PTO-EFXRF-eM6 • DNI8:273S300 * C8ID:601 -400-1 988 * DURATION (mnvss):83-M 



6/5/2006 3:11 AH FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 034 OF 135 



EP 1 271 839 A2 




<0 



PAGE 34/135 ' RCVD AT ftfSf2006 5:11 :15 AM mascem DayOgm Tbne] * 8VR:USPTO-EFXRF-eM6 * DN]8:2738300 ' C8I0:661 460-1 986 * DURATION (inin-ss):83-50 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 035 OF 135 

EP 1 271 839 A2 




31 

PACE 33/135 * RCVD AT e/SQ008 5:1 1 :15 AM [Eastern Daylight Time] * 8VR:U8PTMFXRF-6Ma * DN]8:2738300 * C8ID:661460-1986 * DURATION (inm-9S):83^ 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 036 OF 135 

EP 1271 839 A2 




32 

PAGE 36/135 - RCVD AT 6/5/20M 5:11:15 AM [pastern DayOght Time] ' 8VR:U8PTO-EFXRF-eM9 ' DNI8:2738300 * C8ID:661 460-1 988 * DURATION (min-ss):83-90 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 037 OF 135 

EP 1 271 839 A2 




S3 

PAGE 37/135 * RCVD AT 0/5/2006 9:1 1:15 AM [Easteni DayUght Tbne] ' 8VR:U8PTO-EFXRF-«M5 ' DNI8:2738300 * 0810:561*460-1986 * DURATION (mm-ss):83^ 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 038 OF 135 

EP 1 271 839 A2 



Matrix Operation 
( Decryption ) 



31 



'392 



1 Selector a1 — ^393 



I 



Inverse 
Operation 



-394 



Matrix Operation 
( Encryption ) 



'395 



~U i 2 
I Selectors h ^396 



391 



During Encryption 
selector A : 1 
selector B : 2 

During Decryption 
selector A : 2 

selector B : 1 



Fig. 10 



34 

PACE 38/135 * RCVD AT 8/9/2008 5:11:19 AM [Eastern DayUght Time] * 8VR:U8PTO-EFXRF-8/48 * ON18:2738300 " C8(D:881*480-1988 * DURATION (mni-ss):83-90 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LliC TO: 1-571-273-8300 PAGE: 039 OF 135 

EP1 271 ^9A2 



401 



402- 



403' 



"7 






X4 




Xj 







X s ± 



6X0R 
Circuits 



[>0 4 NOT 

Circuits 



- ^ ^ H-^ H-' h^r^ ^ 

y7|ya|y5|y4!y3|y2|yt jyo 



Fig. 11 



405 
406 



407 





X 


6 


X 


5 X 


4 


X 


3 


^2 


X 


1 ^ 
















r 


J 






H 














e 


13X0R 
Circuits 




















2 NOT 

Girctiits 






r 


















y? 


ya 


Vs Y4 








^6 



Fig. 12 



7fS 

PMSE 3W135 * RCVD AT 8/Sa008 9:1 1 :1S AM [Eastern DayOgM Tbne] * 8VR:U8PTO-eFXRF-«M» ' 0108:2738300 * C8ID:M1 -480-1 988 * DURATION (innKSS):8»M 



6/5/2006 3:11 AN FROM: 661-460-19S6 Huffman Patent Croup, LU: TO: 1-571-273-8300 PAGE: 040 OF 135 

EP 1 271 839 A2 



SHIFT REGISTER 



411 



412- 



± ± — *_J 



X4 



^3 



5 XOR Circuits 



SHIFT REGISTER 



0 


1 


1 0 


0 


0 1 


1 



413 



y? 




Ys 








yi 





'414 



SHIFT REGISTER 



Fig. X3 



36 

PAGE 40/135 - RCVD AT 6/9/2008 9:11:15 AM [Eastern DayUght Tbne] ^ 8VR:U8PTO-EFXRF^e * DNI8:2738300 * C8ID:661 460*1 986 



* DURATION (inni-ss):83-50 



6/S/2006 3:11 AH FROM: 661-460-19S6 Huffman Patent Group, LLC TO: 1-S71-273-8300 PAGE: 041 OF 135 

EP 1 271 839 A2 



SHIFT REGISTER 



415' 
416' 



3 XOR Circuits 



X 


7 


^6 


X 


s 


^4 




X 


2 






-J 








' . , 



SHIFT REGISTER 



1 



1 



1 



417 



Ye 



Yi 



Vo 



SHIFT REGISTER 



Fig. 14 



37 

41/133 * RCVD AT 0/3/2008 3:1 1:13 AM (pastern DayDght Time] * 8VR:USPTO-EFXRF-6f46 * DN18:2738300 * C8ID:661 460-1 980 * DURATION <mm-ss):83-50 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PACE: 042 OF 135 



PAGE 42/13d * RCVD AT &3/2008 5:1 1 :15 AM DEastem DayQght Tbne] * 8VR:U8PTO-EFXRF-QM6 • ON18:273S300 • C81D:M1-400-1988 * DURATION (inm-ss):8d-90 



6/5/2006 3:11 AM FROM: 661-460-1986 Huffman Patent Group, LLC TO: 1-571-273-8300 PAGE: 043 OF 135 



(19) 



J 



Europfilsches Patentamt 
European Patent Office 
Office europ6en des brevets 



(12) 



(88) Date of publication A3: 

23.04.2003 Bulletin 2003/17 



(11) EP 1 271 839 A3 

EUROPEAN PATENT APPLICATION 

(51) lntci7: H 04 L 9/06 



(43) Date of publication A2: 

02.01.2003 Bulletin 2003/01 

(21) Application number 01310953^ 

(22) Date of filing: 31.12.2001 



(84) Designated Contracting Statas: 

AT BE CH CY DE DK ES Fl PR GB GR IE IT 
MCNLPTSE-ra . 
. . Designated Extension Slates: 
AL LT LV MK RO SI 

(30) Priority: 28.06.2001 JP 2001195752 

(71) Applicant: FUJITSU LIMITED 
Kawasaki-6hi, Kanagawa 211-8586 (JP) 

(72) Inventors: 

• Okada, SouichI, c/o FUJITSU UWIITED 
Kawasakhshi, Kanagawa 211-8588 (JP) 

• Torn, Naoya, c/o FUJITSU LIMITED 
Kawasaki-Shi, ICanagawa 211-8588 (JP) 



LI LU 



• Hayaabi^Tombhiro, 

c/o Fujitsu Comp. Techn. Ltd. 
Kawasakl^shi, Kanagawa 211-8568 (JP) 

• Deguchi, Ctiikahiro, 

c/o Fujitsu Comp. Tectin. Ltd. 
Kawasalo-shi, ICahagawa 211-8588 (JP) 

• FuJIwara, YumI, c/o Fujitsu Comp. Techn. Ltd. 
Kawasakl-shi, Kanagawa 211-8588 (JP) 

(74) Representative: iiitchihg, Peter lUlatthew et a1 
Haseltine L.ake & Co., 
Imperial House, 
15-19 KIngsway 
London WC2B 6UD (GB) 



(54) AES Encryption circuit 



s 



D. 
lU 



(57) A round processing unit in an encryption circuit 
comprises: a first Round Key Addition circuit (204) that 
adds a round key value to input data; an intermediate 
register/Shift Row transformation circuit (206) that tem- 
porarily stores the output of the first Round Key Addition 
circuit (204) and executes Sliift Row transfomiation; a 
Byte Sub transformation circuit (207) into which the val- 
ues of the intermediate rBgistsr/Shift Row transforma- 
tlGn circuit (206) are inputted and which executes Byte 
Sub transfomiation; a second Round Key Addition cir- 
cuit (208) into which the values of the intemiedlate reg- 
ister/Shift Row transformation circuit (206) are inputted 
and which adds round key values; a Mbc Column trans- . 
.formation circuit (21 0) that executes Mix Column trans- 
fomriation upon the outputs of the Second Round Key 
Addition circuit (208); and a second selector (203) that 
outputs to the second Round Key Addition circuft (204) 
one of the outputs of a first selector (202), the Intenme- 
diate register/Shift Rowtransfbrmation circuit (206), the 
Byte Sub transfomnatlon circuit (207). and tfie Mbt Col- 
umn transfonnation circuit (21 0). Such an encryption cir- 
cuit reduces a scale of circuit and can achieve a certain 
level of his^-speed processing in the implementation of 
the AES bk>ck cipher. 
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